Description
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67 and Liferay DXP 7.4 update 67 does not limit which Document and Media files can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.
Remediation
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33948